Home

This Plugin was created to help WordPress admins clean infections off their site. It was inspired by my own need to clean up one of my BlueHost accounts after a pretty bad hack (see How It All Started). It is still a little rough around the edges and I want to add many new and exciting features. It is currently being offered completely FREE of charge, though it did take quite a lot of time to develop, test, and make nice.

This project will continue to need my energy to keep it effectively getting rid of new threats and patching new vulnerabilities. That is why I am asking anyone who can, to please make a donation to keep it going.

Yes, all known variants of this threat should be found by the Complete Scan if you have the latest definition updates for my plugin. Please let me know if you have a new variation of this threat that is still not being detected so I can look into it more.

My site is infected with malware where the search engine bots see completely different content from what humans see. I have been searching for the infected file but with no result. Is this plugin able to find that malware and remove it from my site?

Hey, just found your plugin, thank you so much for making this! 2 questions:

1. How long do scans typically take? I’m sure that varies with the size of the site but it’s showing over 300 minutes for a site that isn’t that big. Does that seem right?

2. I’m running this for a client who has 2 infected websites on a shared host under the same root folder. One site I can scan the individual website folder (eg: mysite.com) but the other site will only let me scan the public_html folder which I saw in the comments you don’t recommend + it’s also taking forever. How can I change it from the public_html folder to mysite2.com folder?

1. No, that’s way too long. There are many variables that affect the scan times for various sites but it’s usually between 10 and 30 minutes for the Complete Scan.

2. It sounds like the site installed in the public_html directory has a bunch of other sites installed inside that same directory. You can click on the link “public_html” and it will show you a list of sub-directories, then you can either just select the ones that you want to scan or you can add the names of the sub-directories that you don’t want to scan to the skip list.

Every time I have a serious problem in many websites for years – the Eli plugin always helps me and guides me to find the problem or solves the problem by itself completely. I have donated and will do so in future also. All who are saved by this plugin also donate for this very helpful plugin – to give something back to the creator. Thanks for everything.

Good day.
I love your plugin, but before anything I need clarification on the following, please;

1. Does a donated account have any special feature(s) added, or is it still the same even without donating (difference between the free and donated acct)?
2. Does the plugin indicate (on the plugin UI) that one has donated?
3. I believe it blocks malware and virus, etc. But can it automatically remove as well?
4. Does it automatically scan all the parts of the site or one has to manually initiate the scan (because the scanning process takes time) ?
5. Does it matter how much I donate (what are the difference)?
6. Does it scan every part of the site files (host server)?

Of a truth, you deserve to be donated to for your effort, because out there people spend lots of money protecting their websites – but here it’s a different story with the same (or even more advanced) features. But like I said I need to clear my doubts.

The default firewall settings protect against the most common external threats to WordPress sites. If you donate $15 or more the additional Brute-Force Login protection becomes available.

The main function of this plugin is to find and remove malicious code from your files and your WordPress database. You can choose to scan all the files in your site_root (whatever directory your site is configured to load from), or just the wp-content or just the plugins. For efficiency the scan will skip certain file types that are unable to execute PHP code and also empty files (that contain no code).

You can download the latest definitions of known threats manually or if your donation is $29 or more then you can enable the Automatic Update feature which includes the core files definitions.

Once you have made a donation it will show up on the Anti-Malware Settings page in your wp-admin and the premium features will then be available.

I have already donated and will donate again – in the same account because this plugin is very valuable…
But when I installed the plugin, there isn’t a place to “register” it anymore. There used to be a place to enter my account information… Please advise.

If it says that you are not yet registered then you need to click the button that says “Get FREE Key” then you can register that key to your existing account under the same email address as your other keys.

Good morning. I downloaded the plugin three days ago because my site was hit by a Pharma hack. I ran the scan a few times, but it never really finishes. As of now, it’s been running for two days and is still at 0%. I wanted to see if it is worth keeping and donating to, but does it really run this slow?

The site redirects to a Pharma site when clicking the Google listing. It also is not allowing permission to the wp-admin/admin-ajax.php file.

The scan is not working at all on your site because of that issue with your admin-ajax.php file. You can try the Quick Scans but they may not be able to finish either if your memory_limit is set too low. The Complete Scan would be best but it requires the admin-ajax.php to be working properly. Check the permissions on that file and then also check your .htaccess for any rules that may be limiting your access to that URL. Once you get that issue resolved then the Complete Scan will start working for you.

Good day, I have scanned and cleaned with your wordpress plugin, moved to new hosting company with better security and this malware or virus keeps on coming back. It is as if no one can identify it or wordfence is installing this virus to force people to buy their useless software.

It infects *.php files with this type of autogenerated text and then I presume 1st step is it creates a 592386794.php or similar-looking file.

Anyone that has a clue where is the root of this or is my hosting cpanel infected and contaminating my wordpress installs ?

I really don’t think that Wordfence is installing a virus on your site. If you have moved your site to another host and it’s still getting re-infected then maybe the root vulnerability was copied to the new server … and the security on the new server still is not good enough.

My plugin will clean these infections and record the infection times in the Quarantine. What you need to do is find the access_log files on your new server and cross-reference the exact infection times with any activity in the logs so that you can pin down how this infection is getting in. Let me know what you find there or if you need any more help. Also, I do offer Super Secure hosting to those who really need it (like you) and I know the security on all my servers is good enough that you wouldn’t be having this issue if you were hosting this site with me. Email me directly if you want to move your site one last time and never worry about it getting hacked ever again!

Great Plugin – been using it for years. And I contribute when I can.
Something interesting today. Someone has been trying to hack into one of my WordPress sites by logging in as safe-load.gotmls.net
What is interesting to me, is how they found out I am using your plugin. Any idea on what is going on here?

Yes, when a hacker or bot tries to login to your site while you have the Brute-Force Protection enabled they will get redirected to safe-load.gotmls.net (my site for capturing these failed attempts). They must have found themselves there and mistakenly thought that maybe your login would have something to do with that URL.

I am working on this feature but scheduled scans are not available at this time. Because of the way the scan engine is written it is very hard to get the complete process to run in a cron job. I will let you know as soon as this new feature is ready for testing.

I stopped posting on Twitter because not many people were using it and it is difficult to post meaningful and complete answers to questions posted there with such a limited number of characters.

It’s also true that I have not created any new posts on the blog but I still use the forum on the site and I reply to every comment. I usually respond right away but it took me a few days to get back to you because my grandson is in the ICU and I’ve had to travel to stay with him during this difficult time.

If you have any questions please feel free to post them on my site or on WordPress.org and I will get back to you as soon as I can.

I have been working on a scheduled scan feature for a while now and I think it will be ready for testing very soon. I just need a little more time to work on it, make sure there are no bugs, make sure the performance is optimized, and do some BETA testing in the field before I will be ready to offer this to a broader base of my users. I can let you know when I’m ready for testing…

If you have WordPress installed into the root directory of the main site and all the other sites are installed in sub-directories under that site then you can install my plugin on the main site and it will scan all the others, but this is not recommended and it may take a very long time to finish the complete scan of all the sites. There are also other specific features and protection that are only active on the sites that have my plugin installed directly on them so it is still a good idea to install the plugin on every site.

First of all, my Anti-Malware plugin will remove all Known Threats for you without making any donation. You just need to register your FREE Key and then you can download the latest definition updates.

If you register all your Sites/Keys under the same email address then you can make one donation if you want to unlock premium features on all those sites!

If you donate just $15 then you can activate the Brute-Force Login Protection in the Firewall options, but if you donate $29 or more then you can also enable the Automatic Update feature on all your sites.

I host a lot of very small free sites for friends and non-profits and all sites on one IP address were hacked. I’ve had trouble getting other malware removal tools to remove it, but your plugin seems to have completely cleaned up one of my sites.

I tried to install on another site (noted above) but it won’t accept the registration.

I will definitely make a donation (though modest as I’m already losing money keeping my server up). Do you have any option for me to get a license to work on all of the sites? (may 15-25… still digging to find out which are active) – instead of trying to register all individually?

I appreciate any help you can offer in getting this current website registered and guidance on how trying to register others does not get blocked.

If you register each site using the Key provided on the pre-filled registration form on the Anti-Malware Settings page in your own wp-admin and use the same email address on each registration then all your sites will be on the same account and one donation will unlock the premium features for all.

Does this plugin scan the database and fix malware there?
Since I am using the pro version but the virus seems to occur again and again after fixing, I have a doubt that the virus is actually in the database, which is why it occurs again.

If it is removing these threats but they are coming back sometime after that then your server still has some vulnerability that is letting the hacker in. It could be another site hosted on that same server, if you are on a typical shared hosting account then it is likely very easy for the malicious code to jump around from site to site and come back to your site over and over. It would need to be removed from every site on that server or you would need to move your site to a more secure hosting environment.

Can you tell me what level of donation includes everything, i.e. monitoring, automatic update/clean up, etc.?

Also, 85% of my websites are html only but were subject to hackers in January. If I add wp in a subdirectory (like domain.com/security) and install the plugin in that directory, will it protect all the content in the public_html folder?

This is a self-help plugin for end users like yourself to use to check and clean your own site on your own time. I do not currently offer any monitoring or clean up services beyond what the plugin can do for you. If you donate $29 or more then you will have access to all the current premium features on all your sites registered under the same account/email (including: automatic updates, core file definitions, and the brute-force login patch).

Yes, you can install WP into a sub-directory and then use my plugin to scan the root site. There is also another possible option for scanning HTML sites. If those sites are already stored inside a sub-directory within the public_html folder for the main website on your hosting account then you should be able to scan them all from that main site if you install WP there.

But the easiest way to install any WordPress plugin is from within the wp-admin of your own site. Just go to the Plugins menu on your own wp-admin page and click on “Add New”, then search for the plugin you want and click Install and then Activate.

Just install and activate the free plugin. Then register the installation Key from the pre-filled registration form on the Anti-Malware Settings page in your wp-admin. Once you make a donation of $29 or more then all the premium features will be available to any sites registered to your account.

Thanks for sharing this amazing plugin on WordPress Plugins to easily run a complete scan to automatically remove known security threats and backdoor scripts from WordPress powered website or blog. It is helpful!

This malware is in my latest definition updates. Please make sure that you have downloaded the latest definitions and then run the Themes – Quick Scan, or the Complete Scan on the wp-content if the Quick Scan fails. It should then show the infected files and you can click the automatic fix button to clean those selected files.

If you have trouble with any of this then please send me a screenshot of the scan results so that I can see what’s going on.

Great plugin. Thanks for keeping this going. I’m using it following an infection just to make sure I found everything.

Two questions:
1) The first time I ran the plugin (pre registration) it flagged a lot of files as suspicious. Once I registered and donated, it no longer flagged these files. Is that just a result of having updated and better definitions?

1) Yes, once you register and download the latest definition updates then the plugin can find and fix Known Threats so there is no longer a need to guess at Potential Threats.

2) Currently (as of version 4.17.69) my plugin scans the filesystem to remove Known Threats in the code. I am working on a DB Scan now that will find and remove any SQL Injection in your database. This feature should be available in my new plugin release (coming soon).

There is a brief Scan history on the Scan Settings page and I am working on adding more details and rescan options to that for a future plugin update. You can also find a complete and detailed history of every threat that was fixed with my plugin on the Quarantine page in your wp-admin.

Hi, I found your plugin after all of my sites (15 separate web sites) were blocked by Microsoft on 27/04.

I downloaded, installed and used your plugin and it was very easy to set up and use. I ran a full scan on one website and no malware or threats found – which was reassuring although I wasn’t sure whether there may have been something it hadn’t found. Anyway, Microsoft has since unblocked the sites so all is back to normal.

Thank you for developing a great plugin that will hopefully keep my websites malware free. In return, I have donated your suggested $29 fee.

One question: On your Donations page it states I can use the plugin on as many sites as I want?

If so, I have installed it on a second site and it wouldn’t let me use the same installation key, I had to re-register the plugin again. Because of that, I couldn’t enable the ‘Core File Changes’ definitions or updates, it states: “Donate $29+ now to get Automatic Definition Updates and use the Core Files definitions.”

I have used the same credentials to register on three of my separate WordPress sites so I need to know whether each site requires a new key and a new donation of $29 or if not, what I have missed?

Look in the Anti-Malware Quarantine to get the exact infection times and then cross reference these times in the access_log files on your server to find out if there is a script on your site that is responsible for rewriting these infections. If you find anything suspicious please send it to me so that I can examine it. If there is nothing in the log files at the time of these infections then your server is infected at a root level and you should probably move your sites to a more secure hosting environment.
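The cross-referencing step described in the replies above (Quarantine infection times against access_log), as an added example that is not part of the plugin or of the original thread. It assumes Apache/Nginx combined-format logs and infection times copied by hand from the Quarantine page with their UTC offset; the sample log lines, IP addresses and the cache.php path are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Apache/Nginx "combined" format: ip, ident, user, [time], "METHOD path proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def parse_access_log(lines):
    """Yield (timestamp, ip, method, path, status) for every parsable line."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        # %z keeps the server's UTC offset, so comparisons are timezone-safe
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0]  # drop the query string
        yield ts, m["ip"], m["method"], path, int(m["status"])

def requests_before(infection_time, entries, window):
    """Entries logged in the window leading up to one infection time."""
    return [e for e in entries
            if timedelta(0) <= infection_time - e[0] <= window]

def rank_suspects(infection_times, log_lines,
                  window=timedelta(minutes=2), methods=("POST",)):
    """Count, per script, how many infections it was requested just before.

    First pass looks at successful POSTs to .php files only; widen `methods`
    or `window` if that returns nothing.
    """
    entries = list(parse_access_log(log_lines))
    hits = Counter()
    for t in infection_times:
        seen = set()
        for ts, ip, method, path, status in requests_before(t, entries, window):
            if method in methods and path.endswith(".php") and status < 400:
                seen.add(path)
        hits.update(seen)  # each script counts once per infection
    return hits.most_common()

# Constructed sample data (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = '''\
198.51.100.7 - - [12/Mar/2019:03:14:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.50 - - [12/Mar/2019:03:14:40 +0000] "POST /wp-content/uploads/cache.php HTTP/1.1" 200 12 "-" "-"
198.51.100.7 - - [12/Mar/2019:03:15:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2019:09:40:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 47 "-" "Mozilla/5.0"
203.0.113.50 - - [13/Mar/2019:01:00:05 -0500] "POST /wp-content/uploads/cache.php?x=1 HTTP/1.1" 200 12 "-" "-"
this line is not a log entry
'''.splitlines()

# Infection times as they might be copied from the Quarantine page (constructed).
INFECTION_TIMES = [
    datetime.fromisoformat("2019-03-12T03:15:00+00:00"),
    datetime.fromisoformat("2019-03-13T06:01:00+00:00"),
]

if __name__ == "__main__":
    for path, count in rank_suspects(INFECTION_TIMES, SAMPLE_LOG):
        print(f"{count} of {len(INFECTION_TIMES)} infections preceded by POST {path}")
```

A script that appears before every infection is the one to inspect first; an empty result is the case the reply above describes as nothing in the log files at the time of the infections.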

I’m not sure why it has stopped working for you. You could check your browser Console for JavaScript errors and disable any BHOs that might be blocking the update script. You can also look in your error_log on the server to see if it is being blocked by something on the server.

If you can find anything wrong please send me a direct email with a screenshot of the Anti-malware Settings page in your wp-admin so that I can try to help you further.

First of all I love your plugin, it’s saved me loads of time cleaning infected sites for various clients.

Can I just ask if you have any plans to support WP-CLI so that it is possible to schedule updates and scans from the command line? This would be incredibly useful and would definitely cause me to set up a regular donation to support your work.

Thank you for your time. I installed and ran the program. It only found potential threats. But I ran on Sucuri again and it shows that there is Malware. Not sure what to do. Any advice much appreciated.

Regarding Multisite installation, I was wondering what would be the best practice and hope you may elucidate that for me.

Let’s say that my primary domain is MyDomain.com and at this multisite structure I only have several sub-directories such as: MyDomain.com/site1, MyDomain.com/site2, MyDomain.com/site3 and so on, with no other different domain on it. What would be the best choice from the below options?

1) Let’s suppose that I install the plugin but leave it active only at my primary domain. Once I scan it, will it scan every other site (subdirectory) on my network? Will the sub-directories be protected against brute force attacks at their specific WP Admin Login pages? In other words, with a single installation at the primary domain with the proper setup of the Scan Settings and often looking for New Definition Updates to keep it updated, will all my sub-directories be protected as well?

2) If I install it at the primary domain and activate it through the entire network but I only set up the proper Scan Settings and regularly look for New Definition Updates at the primary domain, would that work better than the first choice above? I mean, in this case will the scan go through every subdirectory and all login pages be safer against brute force attacks than the first option, but still easy to manage it through the scan setting and regular updates on the primary domain?

3) Or neither one of the choices above would be the best practice and the proper approach would be to install and activate it through the entire network (with the same email address as I have read in other comments), but set up the Scan Settings individually and look for New Definition Updates very often in each one of the subdirectory WP admin panels?

I hope I have made it clear and you could help me out advising the best approach for this particular scenario.

First, to be clear, multisite installations use the same set of core files for all sites. That is why only the Network Admin can access the settings and run scans. Also, as a Network admin you can run the scan from any site and it will scan the same files.

Now for the best practices for a multisite installation: after installing the plugin it would be best to Network Activate it from the Network Admin menu. Then you should go to the wp-admin for each of the sites and register the uniquely generated installation key (you can use the same email address for all registrations so that they will all be on the same account). You can also change any settings or firewall options that you would like to on each site.

You can run the Complete Scan from any site as long as you are a Network Admin.

Just one last doubt. Since the scan may be managed from the main site, what would be the best practice regarding the Download of New Definition Updates? If I check the main website admin panel constantly to keep it up to date and run the scan from there, would I still need to worry about Downloading the New Definition Updates in every single panel of my Network?

Been using this on most sites I run for a number of years now. Have pretty tight security with iThemes Security Pro and Wordfence Pro. On the odd occasion something slips through and gotmls cleans up the mess. Ran into major problems today on a new site for a client. After panic stations gotmls sorted the problem out.
A must have piece of kit for every website I build.
Five stars+

I launched a “complete scan” and right now, I just have the following information “Complete Scan of www started 20 hours ago and has not finish” without further indication of how much is actually done and/or how much is remaining to be done. I left the default settings : “Scan Depth -1″ and “skip files with the following extensions…”.

It sounds like the Complete Scan was interrupted before it was able to finish. You have to stay on the scan results page as it runs the Complete Scan and then fix any Known Threats that it finds before you leave that page.

No, I’m not actually. I was just sleeping (most humans do that sometimes). When I woke up this morning and got to work I saw and replied to all your comments. Perhaps you should wait more than 5 hours and 6 minutes before jumping to conclusions like that.

Anyway, if you are willing to give my plugin another try and send me some screenshots of the results you are getting then I am sure (with a little patience) you will find that my support is very professional (especially when you consider that both the plugin and my support of the plugin are free).

What do you mean that there is no way to remove the malware? Does it find the Malware (there should be an automatic fix button)?

I just replied to your other questions that you left on the Members page. I tried to update your account to use the core files definitions in the hopes that it would help you but it would appear that you are not using my plugin any more. You should try contacting me directly for more help as I don’t feel like you have provided me with enough info to really help you.

It looks like the only thing that is still not fixed on your site is that the site Title has been changed to “Hacked By Pak Monster, etc., etc…”. You can change the Title of the site on the General Settings page of your wp-admin or you can check the header.php file under Appearance -> Editor. Please let me know where you find it.

Trying this wonderful tool, so far I love it. Will definitely donate as soon as my cleaning finishes.
Just a recommendation, on each site I am running it, I have to manually delete .ico from the exclusion list (skip names)
I am having endless threats shit in form of .ico named like favicon_239e5e.ico, favicon_dec111.ico, favicon_e69c66.ico
So, maybe ICO don’t have to be in the skip by default.
anyway, now I deleted ALL the skips and scanning even jpgs ))))
I always wanted to be a carpenter

Thanks! I set the ICO and other image file types to be excluded by default because those file types cannot be executed directly by your server when they are called up in a browser, they are essentially harmless on their own. It takes another PHP file with an include statement to invoke the malicious code in an image and so that is what my plugin looks for by default, effectively rendering the code in the image file useless. You can change those defaults as you have done and this will help you with a thorough cleanup but it will also take a long time to scan all the binary image files that are harmless, so it is not recommended by default.

P.S. I too find a sense of joy and satisfaction in building stuff out of wood
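A sketch of the two checks that reply describes (a PHP file that includes an image, and an image file that carries PHP), added here as an illustration and not taken from the plugin's scan engine. The regex, function names and sample tree are assumptions; only the favicon_239e5e.ico file name comes from the comment above.

```python
import os
import re
import tempfile

IMAGE_EXT = (".ico", ".jpg", ".jpeg", ".png", ".gif")

# include/require whose argument holds a quoted literal ending in an image
# extension. Assumption: only literal paths are matched, not computed ones.
INCLUDE_IMAGE_RE = re.compile(
    r"""\b(?:include|require)(?:_once)?\b[^;]*?["']([^"';\n]+\.(?:ico|jpe?g|png|gif))["']""",
    re.IGNORECASE,
)

def php_files_including_images(root):
    """Return sorted (php_file, included_path) pairs found under root."""
    findings = []
    # os.walk does not follow symlinks by default, so a recursive symlink
    # cannot trap this walk in a loop.
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                source = fh.read()
            for match in INCLUDE_IMAGE_RE.finditer(source):
                findings.append((os.path.relpath(path, root), match.group(1)))
    return sorted(findings)

def images_containing_php(root):
    """Return sorted image files under root whose bytes contain a PHP open tag."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(IMAGE_EXT):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if b"<?php" in fh.read():
                    findings.append(os.path.relpath(path, root))
    return sorted(findings)

def build_sample_tree(root):
    """Write a small constructed theme folder: one clean pair, one flagged pair."""
    theme = os.path.join(root, "theme")
    os.makedirs(theme)
    files = {
        "index.php": b"<?php include 'header.php'; ?>\n",
        "functions.php":
            b"<?php\n@include dirname(__FILE__) . '/favicon_239e5e.ico';\n",
        # Constructed placeholder content, not a real payload.
        "favicon_239e5e.ico": b"<?php /* constructed placeholder */ ?>",
        # Genuine ICO files begin with the bytes 00 00 01 00.
        "logo.ico": b"\x00\x00\x01\x00" + b"\x00" * 32,
    }
    for name, data in files.items():
        with open(os.path.join(theme, name), "wb") as fh:
            fh.write(data)

def scan_sample():
    """Build the sample tree in a temp dir and run both checks on it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return php_files_including_images(root), images_containing_php(root)

if __name__ == "__main__":
    includes, images = scan_sample()
    for php_file, target in includes:
        print(f"{php_file} includes image path {target}")
    for image in images:
        print(f"{image} contains a PHP open tag")
```

The second check reads every image in full, which is the cost the reply warns about when the image extensions are taken off the skip list.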

This error indicates that the additional security JavaScript that was added to your wp-login page was not working when you tried to login. When I checked your login page I could see that the code is active and working for me. If you try it again and it’s still not working for you then you should check your browser settings for popup blockers and make sure that there are no JavaScript errors on the page.

Actually your site is now clean. Sucuri caches their scan results so you were seeing the old problem that had already been fixed by my plugin. At the bottom of their scan results page it said:
*Cached results from more than 2 days ago. Force a Re-scan to clear the cache.

Yes, it’s probably malicious JavaScript output that is invoking this redirect, but the source might be encoded in a PHP script; if so then my plugin should find it. If it’s not in a PHP file or my plugin is not finding it then you could check the content of your pages and posts to see if the JavaScript was inserted there. You could also check for text widgets with JavaScript inserted into them.

If you can’t find it then you can contact me directly through email for more support.

I have a new client who I’m scanning their server. It has been running for about 14 hours now, but it stopped counting time at 695 minutes. The activity at the top has kept moving, but it says “Re-Scanning …” and the Scanned Files count has not increased.
They are using 1and1, so I understand why it is painfully slow, but I would like to see some progress.

It might be stuck in a loop trying to rescan all the folders that it has not gotten to yet. There may be a recursive symlink in the path or there are just too many subdirectories to get through them all before your server is timing out. You can check the error_log files on your server, they may hold some clues as to why the scan is getting stuck. You should also make sure there are no cache files in the path, that can make the scan take way too long and the cache files should be deleted anyway if you think the site might be infected. You could try scanning a smaller amount of files by only selecting certain subdirectories at a time (Click the folder names under “What to scan” and select one at a time per scan).

You could also consider moving the site to a faster and more secure server.

I hid my wordpress login with wordpress security and get this error message. How do I get help fixing this? Can you help? I am locked out…jg

Warning: include(/homehdd/ggholson/public_html/wp-content/plugins/gotmls/safe-load/session.php): failed to open stream: No such file or directory in /homehdd/ggholson/public_html/wp-content/plugins/gotmls/safe-load/wp-login.php on line 17

There seems to be files missing from the installation of the gotmls on your site. You should try deleting the whole gotmls folder in the plugins directory on your site, then you can reinstall and it should work fine.

The scanner reports a backdoor alert from a sucuri file. This is a new client’s existing website, so I don’t know if he’s ever had a sucuri account. The file sits on the root and starts with sucuri- then a bunch of alphanumerics. Is this anything to be concerned with?

BTW, I’ve already donated, but not through my account or the plugin. It’s from the same PP email I used to register.

/* Encoded to avoid that it gets flagged by AV products or even ourselves */
$tempb64 = base64_decode($my_sucuri_encoding);

That code is not part of the sucuri plugin. It looks like something sucuri might have put on there if you hired them to fix your site but I can’t be sure. You can remove that code and it shouldn’t affect the functioning of your site.

It’s a great plugin but the issue is that I run the scan and it has removed the malware but after some time it is again infected. It is malware code, can you help me? Do you have any definition for this malware?

Ha, the hacker messed up on the first injection and the Hex code was not escaped properly, so the first part of that code does not even work as they had intended it to, they got it right the second time though. I have added this new bad hack to my definition updates so it can be completely removed now.

The bigger issue for you is: How did they inject that malicious code into your site in the first place, and will they try to do it again?
If your server still has the same vulnerability then you may still be susceptible to reinfection by this threat. Keep in mind that it may not even be your site that is vulnerable but possibly another compromised site on the same server that is spreading the infection to your site. If you are on a shared hosting plan then you should seriously consider changing hosting providers. How many sites do you have on this host and do you have any other hosts you could easily move to?

I’ve also been infected with this bad hex code injection, lots of .php files injected in the server (shared hosting with 42 sites right now). I think I need to step out of this shared hosting thing (keeps giving problems). Why do hosters still approve this?

The typical shared hosting account is particularly susceptible to cross contamination, which is what makes it such a target for hackers. I don’t know why the hosting providers don’t protect their clients more except that they usually benefit from the opportunity to up-sell you to one of their “more secure” hosting options, usually at some much greater price. I myself have created a Super Secure Hosting environment that solves this cross contamination issue. It is admittedly more costly than the shared hosting plans from the mega giants, but with my focus on security I have found a way to prevent this cross contamination threat. If you would like to migrate your sites to a new secure host then you can contact me directly and we can work on a hosting solution that meets your needs.

I did a scan with your plugin, then did “fix selected files”, and now…only my homepage exists. Everything else (my blog, my about page, etc) have gone to 404 Not Found Error. (Which is slightly better than the Canadian pharmacy, I guess.)

Check your .htaccess file in the site root. The hack might have replaced the normal WordPress code, and now that the hack is gone there may not be anything there. You can go to the Permalink Settings in your wp-admin and save the setting on “Plain” and then change it back to “Post name” or whatever it was before, and that should rewrite your .htaccess file for you.

In general I would say that there are all sorts of differences between the great many security programs out there, each one with its own strengths and weaknesses and having a wide range of quality and value to offer. I try not to say much about my opinions about other specific security software/providers and I would not like to be compared to Sitelock in any way, but I would have to agree with you that their prices are too high.

Anyway, the nice thing about my plugin is that you can try it for free and let me know what you think.

Hello. I just did a scan. I’ve fixed all items.
After 20 min, I have already found new malware folders and files in themes and root.
How is it possible? I also did update with $14 donation. Can you help me?

It is common to be targeted for automated re-infection once your site has been breached. The server may have a root vulnerability or a scheduled task that will cause your site to get reinfected on a regular basis. There may also be many other infected sites on that server that are spreading the infection around and helping to keep this virus alive on that server. Is this a shared hosting account? How many sites do you have on this server?

It sounds like you need to get your sites off of Hostgator and onto a server where they will not be reinfected any more. I offer Super Secure Hosting for this exact reason and your sites will not get reinfected on my servers.

Because it is designed as a plugin for WordPress it cannot currently be run directly on any site without WordPress installed. I have plans for a stand-alone version but it is not finished yet. In the meantime you can either install WordPress on that site or copy the files from that site into a subdirectory on another WordPress site to scan it.

There is no error on that line or in the code you copied here. However, I did notice that this code on that line was from an older version of my plugin. Please upgrade to the newest version and then, if you are still getting an error, please send me a screenshot of the error you are seeing so that I can find the true source of that error.

It does not matter how many posts or photos you have, that will not make it take longer. Besides, the problem you are having is not that it’s taking a long time but rather that the scan is not finishing (maybe ever).

Quick Scans only take a few minutes. If it’s not finished in a few minutes it’s not going to finish.

As for the Complete Scan, I’m not sure what you mean by “timed out after about 10 seconds”. Can you send me a screenshot of that?

It may also help to check the error_log files on your server to see what is actually causing these problems you are having.

Hi, just downloaded your plugin. I just found my malware script here, but how do I remove it from my website? It has affected all of my .php files and published. So Google gives me a RED warning. Please HELP HELP HELP

Just use the same email address when registering all the other sites and they will all be under the same account. Donate as much as you would like on a site that is registered to that account and your donation will be reflected on all those sites.

Hello,
I just downloaded your plugin. I ran the scan and a threat was identified in Read/Write Errors. There was no repair button with the link it identified; when I hover over the link I get a message “failed to read this file! (readable? Eww-r–r-r–]). Since I am a novice at this (or anything that falls under IT/programming), I was wondering if you could let me know what I need to do next.
My email has been spoofed and I am receiving up to 100 “undeliverable” email messages an hour. I was able to figure out that the spoofer used my shared server to get to me…and yes, I have now been educated on why not to use a shared server (and will be rectifying the issue as soon as I can get the “undeliverable” email notifications to STOP!!)

Read/Write errors, by definition, cannot be fixed automatically. Those are files that my plugin could not read or write to, therefore my plugin cannot fix them for you. It does not mean that those files are malicious but you will need to investigate and fix the permissions manually (with escalated permission because anything running under PHP, like my plugin, will not have the necessary access).

I recommended this plugin to all WordPress admins. I installed this plugin and found malware scripts in Potential Threats. My malware is for sending automatic emails and all scripts are with extension .php … So I suggest you all open the files in Potential Threats and check all. Again, great plugin, thanks.

Eli,
I have a serious problem. I am under constant attack for 2 of my blogs where I have installed your plugin. The point is that today Google blacklisted both of my blogs because of malware… I’ve got the following message “Warning – visiting this website may harm your computer!” and from Google search you simply cannot access these sites.

I am asking you do you have any solution for that, because as soon as I clean the site using your plugin at once after some time, maybe even hours it is affected again. As Google needs 24 hours to put site back again it will be again affected and it is practically dead.
PLEASE ADVISE!
Primoz

Your sites are clearly not safe on the server you are currently hosting them on. In order to keep them from getting reinfected by this same exploit you may need to move them to a more secure hosting environment. I do offer Super Secure Hosting for situations such as this. You can sign-up for my hosting here if you need a place to host your sites that is safe from these hacks: https://supersecurehosting.com/signup/

Hi – great plugin. I’m getting this message in the admin window. Can you please tell me what this means?

“Another Plugin or Theme is using ‘Bot_ContentGenerator::addLinks’ to handle output buffers.
This prevents actively outputing the buffer on-the-fly and will severely degrade the performance of this (and many other) Plugins.
Consider disabling caching and compression plugins (at least during the scanning process).”

That message means that there is some code on your site that is invoking an output buffer handler which can alter the content that is displayed on your site. It is difficult to detect exactly where that code is included but my plugin should find it if you run Complete Scan with the latest definition updates installed.

As the notice on those results states: Those files are likely not malicious at all. So you don’t need to do anything with them. That’s why my plugin does not automatically fix them. However, if your site is still infected and there are no Known Threats (in red), then you may want to have a professional take a look at those files first to see if the infection might be in those somewhere.

My plugin should find and clean all those malware infections if you have the latest definition updates, even if you do not donate. However, if you do donate at the $29+ level then you can use the Automatic Updates to install the Core Files definitions and that should make the scan and fix process faster, more accurate, and more effective overall.

Please feel free to contact me directly with more specific info about your site and your infection if my plugin is not finding it for you.

There are different features available at different levels of donations (explained in red next to locked features). You should feel free to donate as much or as little as you want, but basically everything is unlocked at the $29+ level for as many domains as you want.

I received a message from my hosting that my site had been infiltrated by phishing malware. I tried to run a “Core Scan”, but at 31% it had found a backdoor script but stopped scanning. A pop-up indicated that there was either not enough memory or something else was preventing the scan from completing. The pop-up instructed me to use the “complete scan” feature to scan the site. In so doing the “complete scan” completed 100% but found no malware. How is this possible when the core scan resulted in at least one issue? I have been asked to close my site for maintenance until this issue is resolved. Google Safe Browsing Diagnostic is indicating that my site is “Partially Dangerous”. I sent an email to eli AT gotmls DOT net regarding this issue, and received no response. Please acknowledge and advise. Thank you

I replied to your direct email 7 days ago, right after you sent it, please check your spam folder.

Did you Fix the Back-door that was found when you ran the Core File Scan? It does not need to reach 100% for you to Fix the problems that it finds. I don’t know of any reason why the Complete Scan would find less than the Quick Scan unless you already fixed that threat or if you are only running the Complete Scan on the plugins and the prior threat was not found in the plugins at all.

Please try the Complete Scan on the whole site, look for any problems, and let me know what you find.

I have installed on 2 of my blogs your anti-malware software which is great. But I have special problem, that intruders put malicious code on a regular basis and I need all the time cleaning my blogs. Do you intend to create a scheduled software triggering?

You can run my plugin on multi site or on as many individual WordPress installs as you want, and if you register each site with the same email address then your donation will count for all of your sites

Installed the plugin to remove a hack from a test site on a subdomain that we were using. But now I can’t login to my regular WordPress site. I need to either remove the plugin OR figure out how to get around this error message:
44360641

You have been redirected here from (website) which is protected against brute-force attacks by GOTMLS.NET

This is caused by a JavaScript error on your wp-login page. The Events Calendar plugin on your site is throwing a warning and because your server is set to output warnings it is breaking my JavaScript output.
On line 49 of …/wp-content/plugins/the-events-calendar/common/src/Tribe/Admin/Notice/Archive_Slug_Conflict.php the error is:
“in_array() expects parameter 2 to be array, boolean given”

To fix this problem you can either deactivate that Events Calendar plugin or fix the code in that plugin or disable the displaying of PHP warnings in your server’s php.ini file.

Please let me know if I can be of any further assistance in this matter.

Awesome! Thanks so much.. I’m worried that the issue may be bigger than I thought as I did a Google search for the website and see pages that may have been created by a hacker, which is causing the website to be flagged.. Any suggestions on what action I should take?

Hi there! I recently signed up for my website, and I love this! However, I got a key and used it on here to sign up and register, but when I log in to WordPress, the right bar says “No key!” Also, is the scan actually working??

Use the “Get FREE Key” button on the right side of the Anti-Malware Settings page in your wp-admin. Then use the form provided to register the pre-filled key if it prompts you to, and then download the latest definition updates.

Then you can start a Complete Scan to find and remove any Known Threats

Thank you but it couldn’t possibly be my plugin that is changing your PHP version. Also, it only changes the .htaccess file when you click on the XMLRPC patch and then it only adds a Directive and doesn’t change anything else in that file. It must be something else that is messing with your PHP settings.

Just….. God bless you. Seriously. You’re the best thing that’s ever happened to me in 6 years of working with WordPress!

I haven’t donated yet because I just don’t have the funds, but I promise you as SOON as I get paid for my latest project, I’ll be donating just as much as I can.

I’ve been in tears over my server being completely inundated with malicious stuff – it’s been awful. I lost most of my portfolio websites and had to just delete most everything. Luckily I was able to get to the admin dashboard for the important sites and I’ve been just praying for a solution…

I’m currently scanning my site, debliz.com and so far (at 37%) your plugin has detected and fixed one htaccess threat, SIX backdoor scripts, and almost SEVENTY “known threats”!!! I KNEW it was bad… but my gosh!

There’s also 23 “potential threats” … I’m not sure what to do with them – but I’m tempted to just let your plugin ‘fix’ them without even checking into them. I’m so unbelievably grateful to you for all of your hard work.

You may very well have saved my entire web business. I cannot express to you how grateful I am. And I’ll show my appreciation monetarily as soon as I possibly can. THANK you so much again!

Thanks for your kind words and I see that you donated so thanks for that too

The Potential Threats are usually not malicious so my plugin doesn’t fix them automatically but if you are still finding malicious content on your site after the auto-fix of the Known Threats then you can click through these potential threats to view the suspect code and decide if it’s something you want to remove or if it looks safe you can leave it there. You can also send any Potential Threats to me directly and I will let you know what I think.

If your site is now clean and working fine then yes, it’s safe to delete the quarantine but it’s also safe to leave those records in the quarantine. Quarantine records are not a danger to your site and they can be helpful for investigating the source and method used to infect your site.

Hey Eli!
Thanks for creating this plugin.
It’s better than Site Lock’s anti malware protection.
I’m having a bit of a problem. When the scan reaches 93% it starts all over again at zero.
What’s up?
I’d like to get a complete scan and move on.

It’s not actually starting over “at zero”, it’s just going back to “re-scan” some of the files that it failed to read on the first pass. If your server’s memory limit is too low then there may be a lot of files that it failed to scan in bulk, but it will re-scan them and then it will finish. There may then be a number of read/write errors listed in your results, those would be the files that failed the re-scan.

The overall problem you are facing is entirely to do with your sub-par hosting. I would strongly suggest moving your site to a better host.

Thanks for a great plugin. I’ve spent the last few weeks tracking an infection on our main webserver with no permanent success. But your plugin has nailed the little bugger once and for all. Well worth the donation!

Just wanted to say how much easier your plugin has made my life & management of my sites! Malware was constantly being injected into my WP sites so much so that Blue Host shut 2 sites down twice. I’d no sooner get them cleaned and I’d be infected again. The amount of money I paid for cleaning and patching was astronomical. I am not a web builder or coder and clearly I was taken advantage of. I found your plugin through a search, installed on sites, (very easy) and now I run scans on my own, clean what comes and have saved myself a small fortune. I have recommended your plugin to dozens of colleagues and I thank you so much for making this available to techies and non-techies (me)!

Otto at WordPress complained about my plugin’s use of base64_decode. Even though it was totally legit (I use it to decode my definitions blob that stores an array of Threats) he suspended the plugin on wordpress.org saying that it was in violation of the WordPress Plugin Guidelines. I changed the PHP code into an array so it is “human readable” (not that it will make any more sense to most people than that Base64 blob did), but now I am just waiting for them to review the changes and restore the link to the WordPress Plugin Repository.

My plugin does not use up resources when you are not running a scan. If you have the Brute-Force Protection feature enabled then your server may write session information to the /tmp directory, that could be a problem if your tmp space is really limited.

Another Plugin or Theme is using ‘New Relic auto-RUM’ to handle output buffers.
This prevents actively outputing the buffer on-the-fly and will severely degrade the performance of this (and many other) Plugins.
Consider disabling caching and compression plugins (at least during the scanning process).

That warning is just to let you know about any code that has run ob_start with a custom output buffer handler. You should only be getting this message on the Anti-Malware pages in your wp-admin. If you are getting this on other pages then something is very wrong on your site. If you want me to take a look at it then you can send me your wp-admin login, but it is after 1am here so I will get some sleep first and check it out when I get up.

I have not yet used your plugin as we just came across it; my host provider actually installed this after an SEO malware infection was detected on the client’s site. I just have a question for you.

It is my intention to begin using this plugin on all our client sites, and I have no issues with signing up each individual client/site, and encouraging them to donate to you. My question is, how does the plugin work with:

A) multiple domains (domain.com; http://www.domain.com; http:// https://; parkeddomains.com)
B) if we install the plugin on an under development site (dev.domain.com) and then move it to the live http://www.domain.com, do we need to create a new account when we launch the site? If we register the account on the http://www.domain.com but install it on the dev.domain.com, will it work or create conflicts of any kind?

I need to know if this will allow a preemptive installation at the beginning of the development, or if it has to be the very last step after launch.

C) How does it work with Ecommerce sites where part of the website is hosted elsewhere? Example I have a client whose WordPress that I want to protect is on http://www.domain.com but one of her “pages” is on domain.bigcommerce.com. Will THAT create a conflict? Should we create an exclusion rule so the 2ndary offsite store doesn’t weird out your plugin and create false positives?

D) What is the size of your installed plugin? We use Duplicator (Free version) for backups. Will this create an issue with the backups due to size (it doesn’t like files 3+ mbs)?

E) Will caching plugins create any kind of a conflict? w3-total-cache; wp-super-cache; wp-fastest-cache

A) It works fine with multiple domains/URLs, each domain must be registered with its own auto-generated key, but if you use the same email address then all the registered sites will be under the same account.
B) Just register the plugin again with the same email whenever you change the URL and it will not lose anything and there will be no conflicts.
C) My plugin will not affect, protect, block, conflict with, or otherwise interfere with any external site. It only scans the local file system on the server that your website resides on, and it only protects the WordPress site it is directly installed on.
D) My plugin is only about 400KB in total.
E) Caching plugins are a bit of a “can-of-worms”… they tend to conflict with many other plugins in lots of inconsistent or unpredictable ways, and are generally not worth the trouble they can cause, IMHO. At the very least you should turn off caching and delete all cache files before running any kind of scan on your sites. Caching can interfere with the scanning process and also render inaccurate results. Cache files are temporary so there is not much point in scanning them but if they are scanned it can be tedious and time consuming for the scanning software and so it can dramatically increase the scan time.

I hope that adequately answers all your questions. Feel free to contact me again if you have any more concerns.

Hi, I just found out through Google that my website has been hacked. Apparently URL injection. This is added onto the end of my website address /INVICTA/10051027708.html
Can this software clean this kind of hacking?

It is hard to detect and differentiate HTML that advertises something you might want on your site from HTML that was put there maliciously that advertises something you don’t want on there. That said, my plugin will detect most PHP threats and vulnerabilities that would let a hacker put stuff like that on your site. It would be best if you delete that INVICTA folder if it was added maliciously and there is no important content in it, but it is also a good idea to run a Complete Scan of your whole site to look for the back-door scripts or other threats that may be exploitable so that that kind of content does not keep getting put on your site. If you have a chronic re-infection problem then you may want to look for a more secure hosting environment.

I do also offer Super Secure Hosting for $12/month per site, if you want to move your site to a server that does not get hacked.

When I try to update the definitions, I get the following error:
unused

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, [email protected] and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.

I made a donation under my initial email address and blog a few months ago, but we have since moved to a new sub-domain. I was able to update the definitions last month, so I don’t think that is the problem, but I guess it is still possible. Is there anything else that could be the problem?

I have installed the plugin on two websites hosted at Bluehost. I have run the scan 20 times on each website over the past few days and every second time the back door script is back and often there are 3 core file changes. I fix them each time, go to my FTP file manager and delete new directories, but the malware keeps coming back and trying to send emails. Any suggestions?

You need to find out how these malicious scripts are getting planted on your server. The next time you get hit with these files you need to take a look at the timestamps on these files. There is the modified time, which might be helpful but can sometimes be forged, there is also a changed time which is surely going to indicate the exact time of the infection. This is the most important info you can get from these files and it needs to be examined and recorded before you make any kind of changes to these files. You can then look in the raw access_log files and cross reference infection times with any unusual activity to see what scripts were called at that exact time. This could indicate where your vulnerability is.
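The timestamp check and access_log cross-reference described in the reply above, sketched as an added example; it is not part of the original thread or of the plugin's code. The log lines, paths, IP addresses and function names are constructed for illustration, and the log is assumed to be in the Apache "combined" format.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Apache/Nginx "combined" access_log line; only the fields used below are captured.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample data: documentation IP ranges and hypothetical paths.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Mar/2016:03:12:40 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [14/Mar/2016:03:14:07 +0000] '
    '"POST /wp-content/plugins/example-plugin/upload.php HTTP/1.1" 200 31 "-" "curl/7.40"',
    '203.0.113.7 - - [14/Mar/2016:03:14:09 +0000] '
    '"GET /wp-content/themes/example/style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '192.0.2.50 - - [14/Mar/2016:09:30:00 +0000] "GET /about/ HTTP/1.1" 200 4000 "-" "Mozilla/5.0"',
]
# Constructed "changed time" of a planted file, as it would be recorded from stat.
SAMPLE_CTIME = datetime(2016, 3, 14, 3, 14, 8, tzinfo=timezone.utc)


def file_times(path):
    """Return (mtime, ctime) as timezone-aware UTC datetimes.

    On Linux st_ctime is the inode change time. utime()/touch cannot set it to
    a chosen value, but any later chmod, rename or edit moves it forward, so
    record it before cleaning. On Windows st_ctime is the creation time instead.
    """
    st = os.stat(path)
    return (
        datetime.fromtimestamp(st.st_mtime, tz=timezone.utc),
        datetime.fromtimestamp(st.st_ctime, tz=timezone.utc),
    )


def mtime_looks_backdated(path, tolerance=timedelta(seconds=2)):
    """True when ctime is later than mtime by more than the tolerance.

    That gap means the modified time was set back after the write, or the
    metadata changed later; either way ctime is the better infection marker.
    """
    mtime, ctime = file_times(path)
    return ctime - mtime > tolerance


def parse_line(line):
    """Parse one access_log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def requests_near(lines, when, window=timedelta(seconds=5)):
    """Return the requests logged within `window` of `when`.

    POST requests are listed first because uploads and form handlers are the
    usual write path; within each group the closest request in time comes first.
    """
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and abs(entry["time"] - when) <= window:
            hits.append(entry)
    hits.sort(key=lambda e: (e["method"] != "POST", abs(e["time"] - when)))
    return hits


if __name__ == "__main__":
    for e in requests_near(SAMPLE_LOG, SAMPLE_CTIME):
        print(e["time"].isoformat(), e["ip"], e["method"], e["path"], e["status"])
```
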

Scanning the main site may scan the files of the other sites if they are nested inside the directory of the main site. However, the scan works best on a single site and the firewall and brute-force protection is only active on the sites you have the plugin installed on. Therefore, it would be best to install the plugin on each domain. If you have a Multisite installation then you can Network Activate a single copy of the plugin to protect all sites.

If you are on 4.2 or 4.2.1 then you should definitely update to the newest version which is currently 4.2.4, but if you are on an older version of WordPress then I don’t necessarily recommend upgrading to 4.2.X automatically. Call me old-fashioned but I personally like 3.7 and I have just updated to the latest security release 3.7.10. I use the tried and true versions that have been around for a while and there are no known security vulnerabilities with 3.7.10 that I am aware of. Whereas, 4.2.X is still fairly new and they keep finding more bugs to fix which makes it less stable and potentially less secure, IMHO.

You need to enable the Automatic Update feature to get the Core Files definition update. Once you run the Complete Scan with the Automatic Updates enabled you will have the option to check for Core File Changes.

I am the admin for this website and I cannot log into the back end of my website. The message I keep getting is You have been redirected here from http://www.greenwichneighborsunited.com which is protected against brute-force attacks by GOTMLS.NET & then the #5199346.
I have refreshed my browser, cleaned all cookies & cache, still cannot get in!
Please help me to be able to get back into my own website!
Thanks,
Dennis

#5199346 is a NO_SESSION error. So your browser is not maintaining a persistent session. I just tested your login page from my browser and I was not redirected so it is not a problem with your server or my plugin. You should check the security settings on your browser to make sure sessions are enabled or try a different browser.

There must be something blocking you from checking my server for updates. Check the error console in your browser to see if it will tell you why the update server is blocked. You may need to change the security settings in your browser or try another browser.

Hi Eli,
On scanning my website the result is 1 known threat, and it highlights the code lines as in the image attached https://dl.dropboxusercontent.com/u/3546925/Threat.jpg . Could you please have a look and tell me if this is indeed a threat as I want to inform the plugin creator to fix but I don’t know how to explain to him ? Thank you.

Thanks for sending this info to me. This is actually a false positive. I found the reason for this file being incorrectly identified as a Known Threat and I have released a new Definition Update that resolves this issue. Please download the new Definition Update and this file will no longer be flagged as a Known Threat. Thanks again for bringing this to my attention.

However, I appear to have a problem on a few sites that I’ve installed the plugin on. The full scan starts the process OK but sticks at 0%. I’ve tried running the quick scan and that fails too at between 30% and 54%. Memory is set to 512Mb on all sites. The websites are spread over 2 different servers and a few of the sites scan without a problem. Really stumped as to how to proceed further – I’ve retried the scans and left for several hours – any help/tips would be greatly appreciated

Thanks for reporting this bug. I found that the WP function current_user_can() cannot be called from the admin_init or admin_menu hooks in some versions of WordPress without causing a Fatal error in /wp-includes/capabilities.php. This is because it calls wp_get_current_user() which is found in /wp-includes/pluggable.php but not always included at this point.

This looks like a major bug in WP and I am not yet sure what versions are affected but I will be submitting a bug report to the WP Core team shortly. For now I have released a patch for this issue in version 4.15.22 that includes the needed pluggable.php file before calling current_user_can.

Please upgrade to version 4.15.22 and confirm that that fixes the issue for you.

Hello,
I have just installed your plugin and it is scanning website….however I hosted my WordPress websites on ipage they have sent me a list of 1500 + Malware and ask me to fix or remove it in 48 hours from their servers and I have around 20 + websites so will it work for all the website?
I am worried or else I have to buy another shared hosting who will allow me to host my websites ??? This ipage company is forcing me to buy sitelock which is of no use..I have read so many reviews in the past one week,,,,about sitelock …I have read a lot about your plugin and I am hopeful……

You should be able to clean all your sites with my plugin. I understand they have given you a very tight deadline. If all your sites are structured as sub-directories under one main site then you could scan them all at once from the main site.

Hi Eli,
I have a subfolder in the /wp-content/uploads named quarantine and an index.php inside that has a base64 line. Is this normal, is it something your plugin installed? That base64 coding looks strange to me. Can you pls have a look? Thank you https://dl.dropboxusercontent.com/u/3546925/quarantine.zip

Yes, That file is ok. It was written like that so that the HTML content could not be modified by hackers but I can see that it might cause more confusion than it’s worth to use base64 encoded output if people may jump to the conclusion that it is malicious code. I will alter the encoding of that file in my next release so that it is more human-readable.

I was wondering if it is possible to register multiple websites with one email address/key? I am a developer and I have a few websites under my wing.
Do you have any developer license options or anything similar?

If you donate at the $29+ level then you can use the automatic update feature to install the Core Files integrity check, that will also dramatically speed up the scan of the wp-include and wp-admin folders.

Your server does not allocate enough memory for PHP to scan all your files in a single process. Unfortunately this is very common on shared hosting that is designed to limit your consumption of shared resources. That is why it is recommended that you run the Complete Scan, this will take longer because it splits up the scan job into smaller pieces but it should be able to finish the scan at 100%.

Potential Threats are usually not malicious, but it sounds like you found some that definitely are. If you can send me the infected files I will add those to the list of Known Threats. Then you can download the new definition update and my plugin will fix them for you.

Alternatively, if you send me your WP Admin login I will have a look at them in-place and add the definition update for you.

As I told Dan, you can send me the infected files I will add those to the list of Known Threats. Then you can download the new definition update and my plugin will fix them for you, or you can send me your WP Admin login I will have a look at them in-place and add the definition update for you.

Suddenly several of my websites that are using the Malware plugin are redirecting to an error page. Example:
1046673
You have been redirected here from a site that is protected against brute-force attacks by GOTMLS.NET

Thank you very much! Your plugin rescued my website and saved me a lot of time by not having to use the backup to restore it. I did a few other scans from some ‘pro’ antivirus plugins, but nothing seemed to work, and they ask for a lot of money to go premium with no guarantee that it’s going to solve the problem… With your plugin it’s different, I could test it first. Thank you so much! It was a pleasure to send my donation too.

If there is no option to Fix those 5 files then they are probably only Potential Threats not known malware. Only Known Threats and Back-doors in Red can be automatically fixed with my plugin. Potential Threats are probably not malicious anyway.

I’m trying to scan my page but the only thing that is happening is “Loading, please wait” and nothing more (for a few hours). I tried with 2 pages and changed Firefox to Chrome (cleaned history, temporary files). What might be the problem? Plugin is registered and definitions are updated. Thanks for any help! Merry Christmas

Hi, I’ve installed this on a couple of websites I take care of, the one site ran the plugin and updated definitions/registered fine but the other two say “Could not find server!” all of them are hosted on hostgator. Thanks

The Definition Updates are checked via JavaScript so if there is another script on your admin page that is causing a JavaScript error it could cause other scripts on that page to fail. See if the Script debugger or inspector in your browser tells you there is an error on the page. Let me know what you find, or if you want to email me your WP Admin login then I’ll check it out myself.

I am having this same issue, I updated some sites and it updated the definitions/registered just fine and then some of them are saying “Could not find server” and all of them are hosted on HostGator on a dedicated server. Very frustrated and couldn’t find a javascript error that would fix it.

Hi guys. I have a site that when I look in Google has thousands of pages attached to the domain so looks like mydomainname.com/playstation-wont-game-updates-a6c56 and when I click on the link it goes to my site but to the home page and says content not found

I ran the software but it says nothing wrong and has identified some files that all look legit?? in the Potential Threats

* NOTE: These are probably not malicious scripts (but it’s a good place to start looking IF your site is infected and no Known Threats were found).
They are to do with plugins etc

My question is how do i fix this and get these links out of the google search engine please

If you have registered my plugin and downloaded the latest Definition Update then I wouldn’t worry about those Potential Threats. I am working on a new release that will make it easier to whitelist those legit plugins that use suspicious code. As long as there are no more Known Threats (in red) then your site is probably clean.

Google must have indexed your site when it was infected with malware and added links to all those fake pages. The fact that those pages don’t come up on your site any more is further evidence that your site is now clean. To get these links off of Google’s search results you’ll need a Google Webmaster Tools account (signup now if you don’t already have an account). You can submit a Sitemap under “Crawl” to tell Google what pages you would like to be indexed. You can also Remove URLs under “Google Index” so that those 404 links get dropped from the search results.

After what seems like years (but only days) of trying to recover from malicious malware and SEO spam, I discovered your plugin which ‘seems’ to have fixed most of my websites.
Except one. When I run the full scan and attempt to fix some errors, it tells me that it could fix x number but not the rest. Then I run again and it fixes more. I have several thousand lines to fix so this might take me many weeks at this rate.

Am I doing something wrong?

BTW, I’m SO impressed with your plugin so far on the other sites, it was like magic!
Lamb

I just had another user with the same problem. They had over four thousand infected files but could only clean about 100 at a time. This is due to a PHP memory limit on your server. My plugin will fix them all in one pass if it can but if the process runs out of memory then it will stop and report however many it was able to fix on that pass. Then you just have to click the fix button again and it will keep on going through your list of Known Threats where it left off on the last attempt. It took a couple hours to get through a few thousand infected files on this other server but there really isn’t another way to do it. The only thing that might speed things up is if you can increase the memory limit in your PHP config.

It sounds like there are lots of limits in your php.ini file that are way too low. You can try increasing the POST size limit. You might even consider switching hosting to a better server. How many sites do you have?

If you want to stick it out the key is to fix a few at a time. If you start the Complete Scan over you should click the fix button whenever new threats are found. You can click and clean as it scans or you can pause and clean and then resume, but the key is to click the fix button often enough that it does not get overwhelmed. How long does a Complete Scan take to finish? If you keep fixing as the scan goes on then you should be all done when the scan is done.

Let me know if you need more help. You can also send me your WP Admin login if you want me to take a look at it personally.

Make sure you have registered my plugin so you can download the latest Definition Updates. Then run the Complete Scan on the whole site (not just the wp-content) and fix any Known Threats that it finds.

Superb plugin and fine piece of works, which helped me to get my site clean again, after some more or less minor or major attacks!
Just a quest … i donated (of course!!!) … but having done that, your plugin tells me i hadn’t …. could you please check and tell me?

Hi my friend, i am writing from Turkiye, my all sites hacked 7 months ago, and then my host suspended all my sites several times, i deleted all infected files, but i couldn’t prevent. But one day i thought is there any plugin for malware, so i found your plugin and used. This is awesome, it protects me malwares, and i passed all virus check or security check sites, my site is clean, i am very appreciate. I will write an article in my native language, and i will say everybody to use this plugin. Thank you my friend, you saved my labors. Thank you very much, if one day you wanna come Turkiye, pls send me message…

Hi Eli,
Been using your plugin on my sites for some time now, and have donated in the past. All my sites with Bluehost are currently down. I’ve been told it’s likely to be malware. Is there any way of using your plugin through cPanel as I don’t have access to wp-admin?

Unfortunately you will need at least one site on the server to have a working WP Admin so you can run my plugin. If you can get your main site working I can get my plugin to scan all the sites at once. If you need help getting a site working you can email me directly with your cPanel login and I’ll see what I can do.

I can see how your addition would quiet the error you were getting but I am more concerned with the circumstances that produce an empty $dir array. I don’t see how you could have my plugin installed in a lower directory than WordPress itself (even on a virtual server). How does __FILE__ resolve to a path that is less than 3 directories deep?

I would love to gain a more thorough understanding of what factors produce this result on your server so that I can release a plugin update that comprehensively addresses this issue. Would you be willing to grant me WP Admin access to your site so that I can debug this issue first-hand?

Please get back to me either way to let me know if you are willing to assist any further with this issue. Thanks

I’ve done a couple of scans successfully, but ran into one issue. A quick scan keeps occurring when viewing the scan section. It keeps automatically scanning, therefore preventing me from doing a full scan. Not sure why. I even uninstalled it + reinstalled it to see if I could get it to stop, but it’s permanently scanning and failing (reports that it can’t complete because of lack of memory).

The Quick Scan is meant to run automatically when you choose it off the menu directly, but it’s only good for small selections of files on a server that has enough memory for a single PHP process to scan them all. If you want to run the Complete Scan you can do that from the Scan Settings page. There you can adjust all the scan settings and then choose which type of scan to run (Quick or Complete).

The code you have here is innocuous and will have no impact on your site’s performance or security. It was likely part of a bug that my plugin removed and you should be able to remove it without adverse side-effects but it’s not necessary.

I cannot say how thankful I am to Eli and his plugin. Simply the best support I have ever received from any company. I posted a support question and he literally emailed me in 30 mins and helped me through the issue. Amazing !! We cleaned 2 entire sites with Malware and saved me a ton of $.

I am having trouble with a trojan (Trojan.JS.Iframe) in the footer of my wordpress site/blog. I have the updated version of your program and have run the complete scan for wp-content AND for plugins, and am not finding the file being flagged that I think I should be finding. (ie; a woothemes file)

I have also been running wordfence scans which give the all-clear.
Sucuri is also giving me the all clear.

The problem here is that you have a php.ini file in your wp-admin directory with the memory_limit directive set to “64M”. I tried overriding this setting with the ini_set function in PHP and by using “php_value memory_limit 256M” in your .htaccess file but neither method will work on your server. I cannot change the php.ini file directly because it is owned by “root”, but maybe you can gain write access to this file and raise the memory_limit directive to “256M”?

Thanks for getting me the FTP login info. I was able to figure out what was blocking you from your wp-admin pages. It wasn’t my plugin, or even any of the other plugins that was interfering with the wp-admin folder. There was actually a custom php.ini file in the wp-admin directory that was using directives like ‘magic_quotes_gpc’ and ‘allow_call_time_pass_reference’ which are no longer supported in the version of PHP you now have on your server. I just rem’d out those two lines and your wp-admin folder became accessible again.

Let me know if there is anything else I can do for you. It would also be great to get a big fat donation from you for all that work and that would help me get to work on improvements for my plugin (like that non-WP wrapper you need).

Read/Write errors can be caused by abnormal file permissions, zero byte file size, or files that are too big to match in a regular expression. It’s hard to say, without seeing the files, if they are a threat to you. Hackers are known to make their files non-readable so as to escape detection but there are always lots of benign reasons for read errors too. You should first try to download the files via FTP and look at the file contents with a text editor to see if you can tell if they are safe. You can also use any good FTP client to check that the file permissions are right. Feel free to send me any files you are not sure of.

I don’t see any malware on there either but I see the warnings from Google. Do you have a Webmaster Tools account with Google? You should check for specific malware warnings in the health section of your Google Webmaster Tools account.

To request a review is a good way to resolve this but if there are still “infected” URLs on your site Google will not lift the warnings. On that same Malware page in the Health section of your Webmaster Tools there should be a list of URLs on your site that Google found to contain malware and when it was detected. This may indicate that you have a conditional redirect or some malicious links that only show themselves to the search engine. If this is the case, and my plugin has not found this threat on your site, then you can give me your WP Admin login and I will track down the source of this infection for you.

I ran the scan and it found a few items which it quarantined. But when I add my web address in a Facebook post, I see spam in the description so there must be something still wrong. Can you check it out? There are a few potential threats also. Thanks!

First let me say that I am really sorry for not replying sooner. I completely missed the notification of your post.

I am guessing that this was a cache issue and it just took a little while for the facebook post to refresh with your cleaned up content. If you are still having any issue though please contact me directly and I’ll see what I can do.

Eli,
I love your plugin. I’ve used it on a number of sites. However, when I tried running it on this website, it does not run. Also, when I click on Eli’s Blog
Anti-Malware, AVG blocks it and it says it found a virus JS/Phish. Do you have any suggestions on why it won’t run?

The Plugin Update section on the Anti-Malware Settings page checks the changelog on my site for updates. It displays the changes in those updates if any are available so you can see what’s in the next release. It displays this information independent of the WP repository or the WP Cron job that is supposed to let you know when any plugin updates are available.

I’ve been seeing examples of malware on all sorts of sites (even on big sites) that puts a double-line under some words thus inviting one to click (you can see examples on the front page of http://alrewascanalfestival.org) when one clicks you get taken to an innocuous-looking website that runs an ad or survey – clicking through may be a point of infection?

Anyway looking at the code on my webpage it has been hacked to read apprenticeship. Is this one that GoMLS can repair?

You are seeing these links on various websites because your browser is infected not the sites themselves. If I look at the same sites I don’t see the infection but you will see these malicious sites even on sites that are clean. It is an Add-On/Extension that is installed into your browser that is embedding these links that you see.

Try running Malwarebytes or a good anti-virus on your computer. You could also try uninstalling the adware from the Programs in the Control Panel if you know what to look for.

I continue to be very impressed with your plugin and I thought the following minor cosmetic observations might be helpful:

1. This doesn’t always happen but sometimes at the start of a full scan 609 folders were found – about 60% through the scan, that increased to 899 folders. At the end of the scan 893 folders had been selected and 899 scanned.

2. Normally the original estimated time to complete the scan was several given as 1-2 hours. As the scan proceeded, this changed to about an hour. On one recent occasion midway through the scan time elapsed changed to 22824335 minutes and time remaining to 17700505 minutes. As the scan proceeded, I noticed that only the last two digits of time scanned were changing and appeared to be the accurate number of minutes whereas time remaining had no apparent pattern and changed wildly.
At the completion (100%) of the scan time taken was 22824357 minutes versus an actual 57 minutes. Time remaining was -9139898 seconds and -6 folders remained.
3. The list of possible infections seemed to be concentrated in wp-content (plugins and themes) and I wondered whether only active plugins and the current theme were scanned (to save time) and, as such whether it was worthwhile to delete inactive plugins (and themes).
The other folder taking up a lot of time was wp-include and as most (if not all) of this is WP core code would it be safe for us to exclude wp-include as a target for scanning?
4. Another plugin I use – not as good as yours! – flags a couple of WP core files as not matching the current WP version and when I check them I notice that they contain GoMLS code. Would it be practical to place this code in a non-core file like theme/functions.php (which I understand can be used for bits of code that won’t be overwritten by theme & WP updates)?
5. I have 6 websites all running from subfolders of a main domain. This creates a problem when I want to scan the main domain (waterwaywatch.org) because GoMLS offers three radio button options I have the choice of public_html (all subdomains which is tempting because it would check all domains but takes several hours) or wp-content (plugins & themes but not wp-admin or wp-includes?) or plugins (not much different to wp-content?) – could we have a multi-choice option of wp-admin, wp-content and wp-include?

These are all great points. I will give you a reply to each numbered accordingly:
1. This happens sometimes because of errors during the scan where folders that were not read on the first attempt are re-scanned, thereby increasing the overall scanned folders count. Some folders that are skipped or could not be read will sometimes throw off the total count.
2. I have only seen this happen when a second scan is started before the first scan finishes, throwing off the start time and thus the calculated time to completion. This could also be due to a system time update during the scan process.
3. Potential threats are a real gray area. I am working on improving the white-list, which will take care of most of these. It is extremely important to scan all files, not only active plugins and the current theme, because the threats are sometimes included or linked elsewhere and are therefore still active even if the plugin is deactivated. However it would be worthwhile to delete inactive plugins and themes, and un-needed backups (and any other unnecessary files) to save time when scanning. It is also just as important to scan wp-include and all WP core files because it is very common for these files to be infected. Therefore it would not be safe to exclude any directory from the scan.
4. If it is the wp-login.php file that is flagged as not matching the current WP version then yes, it should contain GOTMLS code. It would not be practical to place this code in any other file because it has to load before the WP bootstrap to prevent DOS for brute-force attacks on the login page.
5. As well as the three radio button options you also do have the multi-choice option of scanning only the wp-admin, wp-content and wp-include under public_html. Just click the linked “public_html” and select only the folder you want to scan.

I hope this helps. Please feel free to write me back with any more questions.

I’m using the latest definitions, I run quick scan it goes to about 61% and stops. It says there are 2 backdoor scripts. I run fix, it says its cleaned but it doesn’t remove them when i scan again, nor does it quarantine them. I also run a complete scan and it gets stuck at 99%, tries to re-scan but nothing happens. Below are the scripts it finds over and over again and does not remove them. Please help! Thank you.

Thanks for giving me the login to your site. It looks like it actually is cleaning those files and putting them in the Quarantine. But because those are cache files, they are just being re-written by the w3-total-cache plugin. The folder it keeps getting stuck in is /public_html/wp-content/cache/object/000000/b14, which is the directory that w3-total-cache is writing all the files to.

I would strongly advise disabling all caching and deleting any stored cache files (at least while you try to scan and clean up your site). Caching is a direct hindrance to removing malware because the cache can preserve the malicious content even after the threat has been removed. You also need to look at changing your .htaccess file to completely disable caching.

I have received other inquiries as to why the wp-login.php file is flagged as a WP Login Exploit on every install of WordPress, even brand new installs of the most current version. This is simply because WordPress has no built-in brute-force protection and the login page is exploitable. It has been clearly demonstrated through the recent widespread attacks on WordPress login pages around the world that it is not only vulnerable to password cracks via brute-force but it has been shown to overload and bring down a whole server if the attacks are too numerous. That is why my patch prevents the loading of the WordPress bootstrap if a brute-force attack is detected so that your server’s resources are not tied up telling hackers if they guessed the right password or not.

So basically, if my plugin finds that the first line of code in the wp-login.php file is loading the wp-load.php file without my protection before it then it flags it as a vulnerability. Applying my patch before this first line of code filters out this plague of attack so that they don’t even load WordPress and your server is free to serve the pages that your legitimate visitors are requesting.

I hope this helps answer your questions about this new threat and my approach to solving it.

This is a new threat that has not been added to my Definition Update yet. I can see the malicious iframes in the footer of your site. If you can send me the footer.php file from your theme then I will add this threat to my Definition Update so that it can be removed automatically.

Eli I have been dealing with malware for the last 2 weeks I have been flagged by google and now found your plugin! I have begun to scan and I’ve found threats can you personally take a look at it! I will be more than happy to make a donation..I have 2 sites I think they have the same malware!!! THANKS

Sorry for the delay, it took a long time to scan one of the sites. I had to reset some of the scan settings and start the scan over, but both sites are clean and it looks like they are not even blacklisted any more (Google must have updated their cache already).

hi, i just want to say thanks a lot to you guys. the slideshow at the top of this website gave me the tips i needed and i found the fr**king malware on my client’s website and deleted it. will download the plugin all the same and install it for (hopefully not) future use.

When you install the plugin you should register it, download the current Definition Update, and run a Complete Scan to make sure there are no other threats, back-doors, or other vulnerabilities (and you should patch the wp-login.php file to protect against brute-force attacks).

Hi,
My client’s website seems to have been hacked. I have run the plugin, but I am not sure if I am doing it right as the malware seems to still be there. Please advise and I will donate money for your time and effort in a few. Thanks!

Thanks for sending me your login. I found and removed the iframes from the header and footer of your theme and your site is clean now. I also added this new variant to my definition updates so it can be automatically removed in the future.

The iframe example you tried to post did not come through. If you want to send me your WP Admin credentials I will login and find that malicious iframe for you and add it to my definition update so that it can be automatically removed.

Thanks for your interest. This feature is in the design stages now. There is one major update slated for next month, which is Automated Updates to the Definition. Then I will start testing the implementation of Scheduled Scans

It’s just me on this project and I donate my time to making it better and helping people with infections. Donations to me help me justify the time I spend making this plugin better, so feel free to donate.

I don’t think I’ll ever charge a fixed fee for this plugin, it has helped many people around the world that cannot pay, and I could never cut them off just because they don’t have the means to pay. I know this leaves the door open for a lot of people who could pay to not pay … but that’s their karma

I like this plug in. Is there a way to see what your auto fix actually changed so we can learn what to look for.

I was getting hit by these and my comments are set to members only. Your system found one issue in the WP-Login.PhP is that how such fools were able to comment on my site without actually joining. Have no posts with such garbage only a few comments.

Sorry for not replying right away. I have been swamped with this new wp-login.php vulnerability that has recently been exploited by a wide-spread brute-force attack. I have just finished fine-tuning my security patch for the WordPress login file and I am just now able to breathe again and catch up on the regular stuff.

If you click on the linked filename for any file that has been found to contain threats, you can see the contents of that file with a list of links at the top for each match found in that file. Clicking on those links at the top will usually highlight the malicious/suspicious code.

After you run the Automatic Repair you can click the linked file again and, if the file still exists, you will see the new contents (which should not have any malicious code).

FYI – Comments are stored in the database and not yet scanned by this file scanner. You should look into comment security/spam plugins and maybe tighter database security to prevent this kind of thing.

Thanks for the reply. I understand your hard effort the wp-login.php has come up twice for me. I’m relatively new to WP and when I found comments with spam even though there was no new member I was really surprised

I also learned when one is spammed in WP you need to move the file to the spam folder so the anti spam will learn and then block. I was deleting them all together and banning the IP of which is a near useless process. I have two spam plugins now, one for comments and the other for registrations.

Just spent the last half hour reading your comments Eli. You are heaven sent and plan to be a regular donor as well. Maybe sometime you can also look into the guts of my blog and see if we have all of our bases covered. Thanks again!

After running the scan, two of my files were quarantined and now I cannot log back into my site. I need help….NOW! I cannot find any place to contact you on this site other than here. Did I donate to a legit business?

I had my problem resolved by Eli and in a most professional and timely manner! At this point, I highly recommend this plug-in. I wish Eli lived next door but he actually handled this problem like he was a neighbor already. Thanks Eli, you rock!

Hi! Thank you so much for your plugin! My site was recently hacked with malware. It seems that only Chrome is blocking access to my website. I tried to run the scan a few times, and it did not find anything. There was a long list of suspicious files, but I have no idea how to go about checking them. With the most recent update, I was able to find and delete a Login Exploit, but I’m not sure if that removed the malware.

I’m also getting this message “Another Plugin or Theme is using ‘wpfbogp_callback’ to hadle output buffers.
This prevents actively outputing the buffer on-the-fly and will severely degrade the performance of this (and many other) Plugins.
Consider disabling caching and compression plugins (at least during the scanning process).” and I’m not sure which plugins are interfering.

Is there any way you can help? It would be much appreciated, and I’d be happy to donate to your plugin. Thank you!

I ran the full scan after registering (I had not donated yet), it identified several threats and I clicked to repair… It said all was clean, but I checked with webmaster tools and it said I was still infected. What do I do now? Feel free to contact me to discuss further. thanks!

I think you are actually clean. If you look at the details of that “malware” that sucuri is finding on cheflou.com you will see that it is just an iframe in the footer that is supposed to load some content from your site (hawksviralmarketing.com). Is that not something you have engineered? (It doesn’t show anything anyway).

I’m guessing this is just a false positive from sucuri.net

If you do need to remove it, the code is in the Theme’s footer.php file, and the iframe content is loaded from the wp_options with the option_name of either ‘revchurch_abcode’ or ‘revchurch_subtit’.

I have reinstalled WP to the latest version. Gotten rid of all plugins, and then fresh installed only one that I use. Anti-malware says there are no problems but when I asked for review from Google, I still get a message that there is a script embedded.
URLs    Type    Last checked
http://www.dobbinsfamily.net/?cat=4    Code Injection    3/25/13
http://www.dobbinsfamily.net/?cat=5    Code Injection    3/5/13
Please advise.
Xochi

I have three questions that I can not find answers for on your site…maybe my click skills fails me…

1. Does the plugin scan the content of the database?

2. Does the plugin handle multisite setup (where for example each blog has one wp_post table each)?

3. I see in the comments you have noticed a person that has issues with things similar to pharma drive by issues where for example google bots get different results (with the scam) while others do not. Have you included checks for such things (yet)?

My plugin does not scan the database yet but it could be made to do so. It specialises in finding and removing malicious CODE from the files on the server (single site, multisite, even non-WordPress sites). Because my plugin scans UN-compiled code from the back-end it does not need to detect the user-agent specific code designed for crawlers like googlebot. I have seen my plugin detect malicious code when other scanners (like sucuri) fail to detect anything on the front-end of the site. I can also detect back-doors and security holes that cannot be found by crawling the indexed pages of the site from the outside.

Of course nothing is going to protect you 100% from any attack. My plugin takes an approach unlike other security plugins and it has proven to be a very useful tool for getting/staying clean. I will continue to support it and improve it to keep it up to speed with the newest threats and security holes as they are discovered.

Just donated, plugin works amazingly well: got rid of all the malware when other plugins and my own attempts only weeded out a portion of the problems. Got unblocked by Google within 48 hours of running the scan and automated fixes.

Annoyingly, Google keeps giving the old (malware-infected) results, though: as you can see here: http://knotoryus.com/knot.png. Any idea if this goes away by itself or do I need to take further action?

Thanks for the praise but it looks like you still have a nasty script in there that my plugin didn’t catch yet. It generates that “work from home” content if the REFERER or USER_AGENT is Google. I would like to find this threat and add it to my definitions update.

If you are willing to give me access to your WP Admin I will find it and remove it for you. You can send your credentials directly to me: eli at gotmls dot net
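The behaviour described in the reply above (extra content generated only when the Referer or User-Agent is Google) can be checked from outside by requesting the same URL under different headers and comparing the responses. This is an added example, not part of the original comments or the plugin's code; the header profiles, function names, similarity threshold and sample pages are assumptions constructed for illustration.

```python
"""Compare what a page serves to a normal browser vs. Google-like requests."""
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse

BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"
# Request profiles to compare (illustrative values chosen for this example).
PROFILES = {
    "browser": {"User-Agent": BROWSER_UA},
    "googlebot_ua": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; "
                                   "+http://www.google.com/bot.html)"},
    "google_referer": {"User-Agent": BROWSER_UA, "Referer": "https://www.google.com/"},
}


class _PageFingerprint(HTMLParser):
    """Collect visible words and the hosts referenced by href/src attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.words, self.hosts = set(), set()
        self._skip = 0  # nesting depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        for name, value in attrs:
            if name in ("href", "src") and value:
                host = urlparse(value).netloc.lower()
                if host:  # relative URLs have no host and are ignored
                    self.hosts.add(host)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.words.update(w.lower() for w in data.split())


def fingerprint(html):
    parser = _PageFingerprint()
    parser.feed(html)
    parser.close()
    return parser.words, parser.hosts


def http_fetch(url, headers, timeout=15):
    """Real fetcher for live use; the sample run below uses a constructed one."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def check_cloaking(url, fetch=http_fetch, min_similarity=0.8):
    """Return one finding per profile whose response diverges from the browser view."""
    base_words, base_hosts = fingerprint(fetch(url, PROFILES["browser"]))
    findings = []
    for name, headers in PROFILES.items():
        if name == "browser":
            continue
        words, hosts = fingerprint(fetch(url, headers))
        union = base_words | words
        similarity = len(base_words & words) / len(union) if union else 1.0
        new_hosts = sorted(hosts - base_hosts)
        if similarity < min_similarity or new_hosts:
            findings.append({"profile": name,
                             "similarity": round(similarity, 2),
                             "new_hosts": new_hosts,
                             "new_words": sorted(words - base_words)[:10]})
    return findings


# Constructed sample pages: the second one carries injected text and a link.
CLEAN = ("<html><body><h1>Site News</h1><p>boats music and food all weekend</p>"
         "<a href='/about'>About</a></body></html>")
CLOAKED = CLEAN.replace("</body>", "<div>work from home earn cash fast</div>"
                        "<a href='http://spam.example/offer'>offer</a></body>")


def constructed_fetch(url, headers):
    """Simulates a site that serves extra content only when the Referer is Google."""
    return CLOAKED if "google." in headers.get("Referer", "") else CLEAN


if __name__ == "__main__":
    for finding in check_cloaking("http://site.example/", fetch=constructed_fetch):
        print(finding)
```

An empty result only means these header combinations produced the same page; conditional code keyed on the crawler's IP address would not be triggered by header changes, and pages with rotating content can lower the similarity score on a clean site.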

Thanks for your donation. I would be happy to help you. I can see there is some external javascript being loaded on your site. I will need to login to your WP Admin to find the source of the injection. You can send login credentials directly to me: eli at gotmls dot net

Hi, donated hoping you can give me a hand. Found 2 non-wp files that were eval base 64 ridden and trashed them. Hosting had a problem a while back and I think that’s when it happened. Your scan is showing quite a few others that are warnings but I don’t know if they’re legitimate or not. Do you think you could take a look? I’ve been blocking IP addresses for days. Thank you for your plugin – I donated!

Hello I do want to use your plugin.
But the problem is my client’s site is not running at all; it does not even allow me to open the admin panel. In this case can you please let me know how I can clean up my client’s site? I need to get it done ASAP.

I can see that your server is sending a 500 error on every page. I can help you get your site working again and install and run my Anti-Malware plugin but I will need to start by fixing the login page.

I need FTP access to get started and I may need cpanel access to view the log files too.

Hi Eli
So we updated the definitions and your plugin found the problems and cleared them immediately. Our exchange rate is a bit of a bastard, but you had better believe I will be back at the end of the month to donate. This is the single most useful plugin I’ve come across. Really lovely. Thanks so much.

I am constantly amazed at the level of customer service that Eli provides for his plug-in. I have used his product on (3) separate wordpress sites, and cannot recommend it enough. Many thanks, Eli, for always being there to shrink my headaches away! Just made a donation – please keep it up!

This plug in is outstanding. FIVE STARS! I made a small donation and will make more in the future. It is well worth the cost. In the 4 years that I have used WP, this may be one of the most valuable and essential plugins that I have installed.

My site is a music news e-zine that is recognized on Google and Bing News. We cover local, national and global artists. We have readers all over the globe. If our site is down because of malware it damages our brand and reputation. In addition it denies fans coverage of some very talented music artists who work very hard practicing their craft.

Nice to know that those of us that have had Malware issues have an ally and support in this area! Thank you, Thank you! Thank you Eli!

Thank you so much Eli for not only creating this plugin….but also your diligence to go beyond the call of duty to find a new hidden definition. I’ll definitely be adding this to other wordpress sites and checking in regularly.

Hi, I’m infected with Pharma Hack… Just got into a lot of blogs and howtos…. Here is the thing: I was infected using WordPress 3.4.1… Just updated to 3.4.2 and all things got right again…… I’m kinda reinfected… But I can’t find any infected file using find|grep|etc… I can’t find anything in the database tables either… It’s just affecting my rss, rss2, atom feeds…. Don’t know what to do anymore…

I tried to use your plugin to see if it could help me find anything, but, no….

Do you have any idea what I could do? Without having to reinstall all the site… because my site is kinda heavily modified by hand in various files…

I’m happy to help you with this infection and I’m sure we can get it cleaned up.

The first thing I see is that it doesn’t appear that you have registered my plugin on your site yet. You should do this first and then download the latest Definition Update from the Scan Setting page in your WP Admin.

Then you can run a Complete Scan to see if it finds any “Known Threats”. If you need any help with any of this just let me know what I can do.

“Potential Threats” are usually ok and should not be removed. They are there just to help you find possible exploits when you cannot get your site completely clean. When I find new Threats I add them to my definitions of “Known Threats”.

I’ve been running your plugin for a few months now and it’s cleaned up lots of my sites.
This morning a couple of my sites have been blacklisted by Google for malware.
The plugin says it’s clean. The infected files are all JavaScript exploits; because I’m on shared hosting it’s infected about 12 sites.
I don’t know if your plugin could be updated to include this but it would be great if it could.
Here are the details: http://labs.sucuri.net/db/malware/mwjs-iframe-injected515?v4

If you want to send WordPress Admin credentials to my email (wordpress at ieonly dot com) then I can get my plugin on that site to scan all the site at once. I will also look through the “Potential Threats” to see if there are any malicious scripts that are not being identified correctly.

Thanks, there’s more to come. I’m working on a white-list feature now that should be ready by the end of the month. This will eliminate a lot of the benign scripts from coming up in the “Potential Threats” section.

Just wanted to stop by and let people know Eli is the real deal. I own and operate Reviewboard Magazine (Reviewboard.com) and we are in a weird spot in the food chain when it comes to product reviews. Because we do reviews on just about everything consumer related we fall into the mainstream consumer publication category of which we are actually the 2nd most popular in the United States. Go figure. We ended up getting a web STD and Google crippled our website by putting up the malware stop page and listing our website as a malware site. Our advertising was stopped (Adsense) and things came to a crashing halt.

NO ONE knew how to fix this situation properly and we tried. I posted here and ELI responded within a few hours. I trusted him and gave him admin access to our website and he did not disappoint. This man is a saint. He fixed the issue I was having with his plugin, he removed all the malware issues, and we were able to submit a request for review with Google… it was successful and we are now back in action.

Without Eli we would have had to rebuild our web server VMs, our database VMs and cut, copy and paste every article we had to make sure we didn’t have any malware. This would have taken a month and hurt us badly. I can’t tell you how grateful I am to Eli and his plugin. We are forever in his debt. If you haven’t donated for this plugin, you should really go do that now. His time is worth every cent, and we will be donating regularly to help his efforts here.

Can you explain what is this?
Your great plugin found this as a critical issue (vulnerability). I am just a basic WP user, so I have no idea what these codes are. I automatically fixed the issue using your plugin but these codes look the same as they did before using your plugin. I am using a theme where I found this issue.

I see this is a file that has already been cleaned by my plugin. Although this line of code is very cryptic and was, no doubt, a setup for malicious injection, it is missing the eval() statement at the end that would have executed this code, so it is now harmless. It’s like a bee without its stinger or a gun without bullets.

I wrote this plugin to automatically remove the threats from any file without damaging the remaining code in that file. Sometimes this leads to leftover garbage in the code that is not pretty but, by itself, is not dangerous. Since there is nothing left in this particular file of any worth, you can delete the files if you want to.

Please let me know if you have any other question or any other files you want me to look at.

I hope you have already read the FAQ about “Potential Threats”. If so, and you have some “Known Threats” (in red), then you could send me a screenshot of the scan results or an admin login to your site and I’ll take a look at it for you.

Hi guys, I just wanted to say thank you so much for this amazing plugin. I was opening all my files and doing a search and replace… That worked sometimes but other times it would totally destroy the site and template. I like that you added the option to revert the changes. This plugin just gets better by the day. I just wanted to drop by and tell you that I will donate as soon as I get all my websites back and running. I will add all my websites and give you a good donation.

I also made a video for those who have issues logging in to the admin because of malware. This will help you access the admin and also help you get all your files back up and running.

Hi, I have been using your plugin to clear the problem but it just returns within minutes, so I’m trying to find the back door. base64 decode is stated to be a problem but this is in your plugin. Should it be, or do I need to delete this?

I updated definitions and expanded the search range on the site you gave me access to. It now searches starting in the public_html directory and finds the new threats that were previously undetected. I took the liberty of removing all the threats that were found within all sites in the public_html folder. Please let me know if your infection returns again. I am happy to continue working on this until you are completely clean.

Thanks, I’m glad you found it. I’m posting this answer here anyway so that others can find it too if they have the same questions.

To scan just the Theme folder just click on the linked option “wp-content” under “Scan What:” and check the box by “themes”. This specialized scan setting does not save, so after the scan is performed it returns to the option to scan the whole wp-content folder.

Also, I would be interested to hear why you would want to scan only the themes folder. If you want to tell me more you can email me directly at registrations at gotmls dot net.

Your plugin is a fantastic piece of work and really saves me a lot of time trying to locate all these viruses people like to put on your website. While your plugin works well and keeps fixing the problem, the hacker keeps being able to change a line in the /wp-config.php file.

Could I suggest that you potentially make the plugin fix problems automatically without having to keep pressing auto repair? Because it consumes a lot of your time when you keep getting the same problem every other day and then having to sign in to do the same process over and over again.

Maybe allowing users to have the plugin (option) to fix the problem automatically without having to constantly approve it. If a potential problem arises, you can do the same as you currently do with the plugin which is revert to the previous settings.

Thank you for the compliment and the suggestion. I have that idea already on my To-Do-List. I am wanting to add some kind of cron job to run automated scans and email the results to the admin. Right now I am working on making the scan process more robust. If I have enough time and some good donations I should be able to work that feature in by the end of the month though.

However, a better answer to your problem would be to stop the attacks. If you are removing all the threats and they are coming back the next day I would suspect that we have overlooked a vulnerability on your site. I would love to have the opportunity to investigate why you continue to get re-hacked. If you want me to look at it for you just email me directly (I will need your WP admin credentials and FTP access would help too).

Great Plugin… Been using it for a little bit and will donate in a few.. The only problem is I get the wordpress sites clean, however days or sometimes hours later they are re-infected.. What else can I do to get them clean and prevent re-infection?

It sounds like my plugin is doing a good job of removing the malicious scripts that it finds but it doesn’t seem to be finding the vulnerability in your WordPress site that is allowing you to get hacked.

I would love to take a closer look at it for you. If I can track down the source of the infection then I can add it to my definition file so that everyone who uses my plugin will benefit.

Hi there, I gave it a try on my infected website and it works well; even when I tried to hide it, this plugin still found it. Now my question is: if I want to register multiple websites with one account, how much should the donation be, and is it a one-time registration with lifetime updates? Please advise. Thank you.

Thanks for the compliment. I am glad to hear that it worked well for you. As for how much to donate, I have not firmed that up yet, but my general thinking at this time is $10 per site (depending on your ability to pay and the number of sites you have). This is of course still completely up to you how much you give but thanks for asking.

Hope you don’t approve this comment, at least not until you can fix the XSS hole. The plugin has a security hole, see details:

At index.php find the occurrence of “$_SERVER['REQUEST_URI']”
This XSS vulnerability is exploitable, because input is not checked for HTML characters. To fix it we need to replace it with
htmlspecialchars( $_SERVER['REQUEST_URI'] , ENT_QUOTES )
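
The fix suggested in the comment above, shown side by side with the unescaped output. This is an added illustration, not part of the comment and not the plugin's own code: the form markup and function names are hypothetical, and the request value is constructed.

```php
<?php
// Added illustration; not the plugin's source. Function names and the form
// markup are hypothetical, and the request value below is constructed.

// Before: the request URI is written into an attribute as-is.
function form_tag_unescaped(array $server): string
{
    return '<form method="post" action="' . $server['REQUEST_URI'] . '">';
}

// After: the fix proposed in the comment. ENT_QUOTES encodes both " and ',
// so the value cannot close the attribute whichever quote style wraps it.
function form_tag_escaped(array $server): string
{
    $uri = htmlspecialchars($server['REQUEST_URI'], ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $uri . '">';
}

// Number of element start tags in a fragment; anything above 1 means the
// URI value broke out of the action attribute and created new markup.
function start_tag_count(string $html): int
{
    return (int) preg_match_all('/<[a-z]/i', $html);
}

// Constructed request: a query string carrying quote and angle-bracket characters.
$server = ['REQUEST_URI' => '/wp-admin/index.php?page=scan"><b title=\'x\'>injected</b>'];

foreach (['unescaped' => 'form_tag_unescaped', 'escaped' => 'form_tag_escaped'] as $label => $fn) {
    $html = $fn($server);
    printf("%-9s start tags: %d\n  %s\n", $label, start_tag_count($html), $html);
}
```

The same escaping applies to every place a request-derived value is echoed into HTML, not only the one occurrence in index.php.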

Thanks. The more donations I get, the more time I spend making this plugin even better. I know I could make more money if I charge for this but then I wouldn’t help as many people. I always feel good when someone voluntarily pays like you did. Thanks for your support and tell your friends.

Just installed your Plugin and it did a thorough scan... lots of yellows; am sure most of them are legit files, no problem, but the bottom line is I felt relieved! Now I have a scan to alert me to real threats and it’s really simple to use yet compact and essential! Thanks a lot for your hard work!

Thanks. You can only Repair “Known Threats” highlighted in RED. The “Potential Threats” in YELLOW are usually not malicious but you should still check them and if you can identify any malicious code you can send it to me and I’ll add it to the definitions as a “Known Threat”.

There should be a possibility to register multiple sites with one e-mail address. I have many websites, and I don’t want to open that many e-mail addresses. I got the same malware again, someone removed the plugin and installed the script again. Does it mean the virus is on the server, or has someone simply hacked my password?

Thanks for the suggestion. I am working on the feature now to allow multiple keys to be registered under one email account and user.

If you are getting re-infected it may be that your site still has a vulnerability that continues to be exploited or, if you are on a shared host, it could be another site on the same server is infecting your site.

I can upgrade your registration to include a higher level directory. This may allow you to scan multiple sites on your server from one admin account. If you would like to try this please email your request to registrations at gotmls.net

Thanks so much for your help with your plugin. It was able to fix issues on my site that I wouldn't have been able to find. I really appreciate the work you put in to making such a valuable tool and I hope my $15 donation helps your project. -- Kevin